Protect: Establish controls to detect and respond to breaches
Detecting and responding to data breaches
In certain cases, the GDPR requires that if a data breach occurs, organisations need to rapidly notify regulators. In some cases, organisations will also need to notify the affected data subjects. In order to meet this requirement, organisations will benefit from being able to monitor for and detect system intrusions.
For incidents where we hold some or all of the responsibility to respond, we have established detailed Security Incident Response Management processes such as outlined for Azure and Office 365.
In addition, we outline how we work collaboratively with our customers under a Shared Responsibility Model outlined in the Shared Responsibilities in Cloud Computing white paper.
Once you have detected a potential breach, we recommend, and use for our own incident response program, a four-step process:
- Assess the impact and severity of the event. Based on evidence, the assessment may or may not result in further escalation to a Cybersecurity/Data Protection response team.
- Conduct a technical or forensic investigation, and identify containment, mitigation, and workaround strategies. If the Cybersecurity/Data Protection team believes that personal data may have become exposed to an unlawful or unauthorised individual, a notification process begins in parallel as called for in the GDPR.
- Create a recovery plan to mitigate the issue. Crisis containment steps such as quarantining affected systems should occur immediately and in parallel with diagnosis. Longer term mitigations may be planned which occur after the immediate risk has passed.
- Create a post-mortem that outlines the details of the incident, with the intention to revise policies, procedures and processes to prevent a reoccurrence of the event. This stage is in line with Article 31 of the GDPR to record the facts surrounding the breach, its effects and the remedial action taken.
Azure
Protecting personal data in your systems and reporting on and reviewing for compliance are key requirements of the GDPR. The following Azure services and tools will help you meet these GDPR obligations:
- Integrated services with Azure enable you to more quickly and easily understand the overall security posture as well as detect and investigate threats to your cloud environment. Azure Security Center employs advanced security analytics. Breakthroughs in big data and machine learning technologies are used to evaluate events across the entire cloud fabric—detecting threats that would be impossible to identify using manual approaches, and predicting the evolution of attacks. These security analytics include:
- Integrated threat intelligence, which looks for known bad actors by using global threat intelligence from Microsoft products and services, the Microsoft Digital Crimes Unit (DCU), the Microsoft Security Response Center (MSRC) and external feeds.
- Behavioural analytics, which applies known patterns to discover malicious behaviour.
- Anomaly detection, which uses statistical profiling to build a historical baseline. It alerts on deviations from established baselines that conform to a potential attack vector.
Additionally, Security Center provides prioritised security alerts that give you insights into the attack campaign, including related events and impacted resources.
- Azure Log Analytics provides configurable security auditing and logging options that can help collect and analyse data generated by resources in either your cloud or on-premises environments. It provides real-time insights using integrated search and custom dashboards to readily analyse millions of records across all workloads and servers regardless of their physical location. It helps facilitate quick response and thorough investigation for any security events.
Dynamics 365
We regularly maintain and update Dynamics 365 (online) to ensure security, performance and availability, and to provide new features and functionality. From time to time, we also respond to service incidents. For each of these activities, the Dynamics 365 administrator for your organisation receives email notifications. During a service incident, a Dynamics 365 (online) customer service representative may also call and follow up with an email. See the full details of our policies and communications for Dynamics 365 on TechNet.
Enterprise Mobility +Security (EMS)
Our comprehensive threat intelligence uses cutting-edge behavioural analytics and anomaly detection technologies to uncover suspicious activity and pinpoint threats—both on-premises and in the cloud. That includes known malicious attacks (such as Pass the Hash, Pass the Ticket) and security vulnerabilities in your system. You can take immediate action against detected attacks and streamline recovery with powerful support. Our threat intelligence is enhanced with the Microsoft Intelligent Security Graph, driven by a vast number of datasets and machine learning in the cloud:
- Microsoft Advanced Threat Analytics (ATA) is an on-premises product to help IT security professionals protect their organisation from advanced targeted attacks by automatically analysing, learning, and identifying normal and abnormal entity (user, devices, and resources) behaviour. ATA identifies advanced persistent threats (APTs) on-premises by detecting suspicious user and entity behaviour (devices and resources), using machine learning and information in on-premises Active Directory, SIEM systems, and Windows Events logs. It also detects known malicious attacks (such as Pass the Hash). Finally, it provides a simple attack timeline with clear and relevant attack information, so you can quickly focus on what is important.
- Cloud App Security provides threat protection for your cloud applications that’s enhanced with vast Microsoft threat intelligence and research. You can identify high-risk usage, security incidents, and detect abnormal user behaviour to prevent threats. Cloud App Security advanced machine learning heuristics learn how each user interacts with each SaaS application and, through behavioural analysis, assesses the risks in each transaction. This includes simultaneous logins from two countries, the sudden download of terabytes of data, or multiple failed login attempts that may signify a brute force attack.
- Azure Active Directory (Azure AD) Premium provides identity-level threat detection in the cloud. Azure AD monitors application usage and protects your business from advanced threats with security reporting and monitoring. Access and usage reports provide visibility into the integrity and security of your organisation’s directory. Also, Azure AD provides identity protection with notifications, analysis, and recommended remediation.
Read more: Download the white paper on supporting your EU GDPR compliance journey with Microsoft EMS
Office and Office 365
Office 365 features several capabilities that help you identify and respond when a data breach occurs:
- Threat Intelligence helps you proactively uncover and protect against advanced threats in Office 365. Deep insights into threats—available in part because of Microsoft’s global presence, the Intelligent Security Graph, and input from cyber threat hunters—help you quickly and effectively enable alerts, dynamic policies and security solutions.
- Advanced Security Management enables you to identify high-risk and abnormal usage, alerting you to potential breaches. In addition, it allows you to set up activity policies to track and respond to high-risk actions and suspicious activity. And you can also get productivity app discovery, which lets you use the information from your organisation’s log files to understand and act on your users’ app usage in Office 365 and other cloud apps.
- Advanced Threat Protection for Exchange Online helps protect your email against new, sophisticated malware attacks in real time. It also allows you to create policies that help prevent your users from accessing malicious attachments or malicious websites linked through email.
SQL Server and Azure SQL Database
SQL Server and SQL Database provide a powerful set of built-in capabilities that identify when a data breach occurs:
- Auditing for SQL Database and SQL Server audit track database events and write them to an audit log. Auditing enables you to understand ongoing database activities, as well as analyse and investigate historical activity to identify potential threats or suspected abuse and security violations.
- SQL Database Threat Detection detects anomalous database activities indicating potential security threats to the database. Threat Detection uses an advanced set of algorithms to continuously learn and profile application behaviour, and notifies immediately upon detection of an unusual or suspicious activity. Threat Detection can help you meet the data breach notification requirement of the GDPR.
Windows and Windows Server
Windows Defender Advanced Threat Protection (ATP) enables your security operations teams to detect, investigate, contain and respond to data breaches on your network. With Windows Defender ATP, you gain advanced breach detection, investigation and response capabilities across all your endpoints with up to 6 months of historical data, even when endpoints are offline, outside of the network domain, have been reimaged, or no longer exist. Windows Defender ATP helps you fulfill a key requirement of the GDPR, which is having clear procedures for detecting, investigating and reporting data breaches.
Next step: Report
Find out more about Securing your Data
Find out more about Safeguarding your Infrastructure
Find out more at a GDPR Cloud workshop